[Snort-users] Snort multiple sensor configuration

Stephen Reese rsreese at ...11827...
Thu Oct 9 00:16:06 EDT 2008


I've recently set up a Debian host running snort 2.8.3.1. There are
four NICs in the machine; one is a management interface and the other
three connect to various network points.

Internet (sensor) <firewall> (sensor) main network (sensor) <router>
branch networks

The first IP is the Internet, so we may see everything coming at it.
The first network is the "main network"; we want to see everything the
firewall misses, or if any of our hosts are being naughty, so there is a
sensor on that side of the firewall.
The other networks that follow are all branch networks connected via T1;
we want to make sure that the main network isn't sending out or
receiving anything naughty.

I'm using sessions on three Cisco switches to create the taps.

I'm currently running a process for each of sensors 1-3:
$ sudo /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

The basic network configuration is my question. I'm currently using
the same configuration file for all three processes.

var HOME_NET [66.15.39.1,172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
var EXTERNAL_NET !$HOME_NET

I've got the ruleset wide open, so there are all kinds of alerts at this
point, and I know I have to cut them back after we figure out what's
useful, but are my definitions accurate for the network layout, or is
there a better method I should be following?
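One way to run the three sensors described above from a single shared snort.conf while still keeping their output apart, as an added example that is not code from the original post or from the Snort project: each process gets its own interface, its own log directory and pidfile directory, and its own unified2 log identifier (`-G`, so events from the three sensors can be told apart downstream), with an optional per-sensor `HOME_NET` override via `-S` for anyone who wants to narrow the definition for a particular vantage point. The interface-to-sensor mapping, the log-id values, the `/var/log/snort` and `/var/run/snort` paths, and the sample override list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): start one
# Snort 2.8 process per monitored interface from one shared snort.conf.
# Each sensor gets its own log dir, pidfile dir and -G log identifier;
# an optional fourth field overrides HOME_NET for that sensor only via -S.
# Interface names, log ids and paths below are assumptions for illustration.

SNORT=${SNORT:-/usr/local/bin/snort}
CONF=${CONF:-/etc/snort/snort.conf}
LOGROOT=${LOGROOT:-/var/log/snort}
PIDROOT=${PIDROOT:-/var/run/snort}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the command lines, 0 = start the daemons

# Sensor table, one per line: name:interface:log-id:HOME_NET-override
# An empty fourth field keeps the HOME_NET defined in snort.conf.
# (Which interface sits at which tap point is an assumption.)
SENSORS='internet:eth1:0x1:
main:eth2:0x2:
branch:eth3:0x3:'

# Build the argument list for one sensor and either print it (dry run)
# or exec it. Arguments are kept as a real list ("$@") so a HOME_NET
# value containing brackets and commas is never glob-expanded or re-split.
#   $1 name  $2 interface  $3 log id  $4 optional HOME_NET override
run_sensor() {
    name=$1; iface=$2; logid=$3; override=$4
    set -- "$SNORT" -c "$CONF" -i "$iface" \
           -l "$LOGROOT/$name" --pid-path "$PIDROOT/$name" \
           -G "$logid" -D
    if [ -n "$override" ]; then
        set -- "$@" -S "HOME_NET=$override"
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s ' "$@"
        printf '\n'
    else
        mkdir -p "$LOGROOT/$name" "$PIDROOT/$name"
        "$@"
    fi
}

# Walk the sensor table and launch (or print) every sensor.
start_all() {
    printf '%s\n' "$SENSORS" | while IFS=: read -r name iface logid override; do
        [ -n "$name" ] || continue
        run_sensor "$name" "$iface" "$logid" "$override"
    done
}

if [ "${1:-}" = start ]; then
    start_all
fi
```

Run it as `sh sensors.sh start` to see the three command lines; `DRY_RUN=0 sh sensors.sh start` actually starts the daemons. To narrow one sensor's view, fill in the fourth field of its table row, for example `internet:eth1:0x1:[66.15.39.1]`, and that process is started with `-S HOME_NET=[66.15.39.1]` while the other two keep the list from snort.conf.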



